Tuesday, December 30, 2014

A number of news articles are reporting that the hack of Sony Pictures may have involved insiders.

CBS News says that cybersecurity experts are questioning whether North Korea was actually behind the Sony Pictures cyberattack. The FBI has been briefed by a security firm that believes Sony insiders, possibly in the payroll and accounting departments, were key to implementing one of the most devastating attacks in history.

"[The insider] had both the access and the means to leak the sensitive Sony material." - GotNews.com

Such devastation by malicious insiders who inappropriately access or leak data can be avoided by proactive detection with low-cost on-demand SaaS analytics services.

Tuesday, December 23, 2014

A billing specialist at a Kentucky medical practice stole patient identities and used the information to secure loans from online lenders for her own use.

She had been indicted by a federal grand jury on identity theft and using patient information under false pretenses in violation of the Health Insurance Portability and Accountability Act (HIPAA). Last week she pleaded guilty to some of the charges.

It is unclear why the identity thefts went on for over two years. Healthcare organizations seeking to proactively detect identity theft and privacy data breaches can utilize low-cost on-demand SaaS analytics services.

Monday, December 22, 2014

A Boston hospital has agreed to pay a $40,000 settlement and take action to prevent future breaches that affect patients' private data. The consent judgment alleges the hospital failed to protect the personal information and protected health information of more than 2,000 patients.

The Massachusetts attorney general, Martha Coakley, has been one of the most active state attorneys general when it comes to pursuing breaches.

"Healthcare providers must ensure that the privacy and security of sensitive patient information is protected." - Attorney General Martha Coakley

Regulatory agencies such as the NY Department of Financial Services as well as the Commodity Futures Trading Commission have recently stated that closer examination of the cybersecurity practices of organizations they oversee will be a priority.

"...the Department will take a close look at banks’ data breach detection abilities." - Memorandum, NY State Department of Financial Services

Thursday, December 18, 2014

A Virginia woman has been sentenced to five years in prison for stealing patients' identities and using the information to access existing credit cards or create new ones.

The personal information of about 200 patients was stolen from October 2012 through September 2013, according to court documents.

"[She] conspired, from October 2012 through September 2013, to steal the identities of at least 200 medical patients." - US District Court documents

It is unclear why the ID thefts went on for almost a year or who discovered them. Organizations seeking proactive detection of identity theft and privacy data breaches can utilize low-cost on-demand SaaS analytics services.

Tuesday, December 16, 2014

A Florida hospital was unaware of the theft of patients' data until law enforcement notified them.

The stolen personal information (PII) included patients' names, addresses, some Social Security numbers, dates of birth, and limited insurance or medical information.

"the [data] thefts occurred in 2012 and 2013 but were not reported to the US Attorney's office until August 2014." - PHIprivacy.net

Unfortunately identity theft and data breaches are often first discovered by law enforcement rather than the organization holding the PII. Organizations seeking proactive detection of privacy breaches can utilize low-cost on-demand SaaS analytics services.

Monday, December 15, 2014

A lab technician at an Alabama hospital has been sentenced to two years in federal prison for his role in an identity theft tax refund fraud scheme.

The US Attorney's office said the technician, along with other people, stole patients' medical records which contained personal identification information (PII). He used the PII to file over 100 fraudulent tax returns.

Thursday, December 11, 2014

A registered nurse (RN) at a Florida hospital emergency room has been arrested for stealing patient identities and using the information to purchase items and have them sent to her home. She has also been fired by the hospital.

Law enforcement discovered that this hospital insider was a suspect during their investigation of separate fraudulent credit card cases.

Rather than learn about ID theft from law enforcement or other third parties, healthcare organizations can proactively detect identity theft and privacy data breaches with low-cost on-demand SaaS analytics services.

Wednesday, December 10, 2014

A mental health organization in Alaska must pay a $150,000 Department of Health and Human Services (HHS) fine for HIPAA breaches that affected 2,743 patients. In addition to the monetary fine, HHS is requiring implementation of a corrective action plan and reporting to OCR on its compliance program.

This latest fine is indicative of continued enforcement by the Office of Civil Rights (OCR). To date they have levied $26 million in monetary settlements against 24 HIPAA-covered entities found to have violated privacy, security and breach notification rules.

"HIPAA security policies and procedures...were not followed by the organization's employees for a seven-year period, from 2005 to 2012." - Healthcare IT News

Monday, December 8, 2014

A New York radiologist has been arrested for breaching the privacy of 97,000 patients by inappropriately accessing their confidential data.

The physician said he accessed and copied the patient information from multiple offices where he worked because he was planning to start a competing medical practice, according to District Attorney Kathleen Rice's office. DA Rice is calling for a change in state law to permit tougher charges in such cases. And a privacy attorney says federal charges for HIPAA violations might be appropriate in the case.

"Physicians are regularly entrusted with the health and well-being of their patients, so the abuse of trust in this case is particularly outrageous." - District Attorney, Nassau County, NY

It is unclear why the data thefts went on for four months. Healthcare organizations can proactively detect identity thefts and data breaches with low-cost on-demand SaaS analytics services.

Friday, December 5, 2014

A Florida hospital reported its third privacy breach in two years, according to the Department of Health and Human Services (HHS).

In this latest breach an employee stole the identities of about 82,601 patients over a three-year period. That information included names, dates of birth and Social Security numbers, which can be used to file fraudulent tax returns, as one patient has already reported.

"the start date of the latest data breach is exactly one day after a former data breach ended that impacted 2,560 individuals." - Local 10 News

It is unclear why the identity thefts went on for two years. Healthcare organizations can proactively detect identity thefts and privacy breaches with low-cost on-demand SaaS analytics services.

Thursday, December 4, 2014

A New York bank branch manager has pleaded guilty to identity theft and theft of public funds. He used customers' personal information (PII) to file fraudulent tax returns and then cashed the refund checks.

For three years, from 2010 through 2013, he stole $442,642.58 from the US Treasury, which as part of his plea he'll repay. He is scheduled to be sentenced in March of 2015.

"From approximately 2010 through 2013, Mejia participated in a scheme to fraudulently obtain and cash tax refund checks issued by the United States Treasury." - US Attorney's Office, Southern District, New York

It is unclear why the identity thefts went on for three years and how they were discovered. Organizations seeking proactive detection of identity theft and privacy breaches can utilize low-cost on-demand SaaS analytics services.

Wednesday, December 3, 2014

A Florida hospital has notified patients that three years ago a then-employee accessed their personal information outside his normal job duties. The hospital learned of the breach when law enforcement alerted them.

This insider theft of identity information in 2011 included patients' names, dates of birth, and Social Security numbers. Hundreds of warning letters are being sent to patients.

"The breaches of patients' private information occurred three years ago."

Rather than learn about identity theft and privacy breaches from law enforcement, healthcare organizations can proactively detect them with low-cost on-demand SaaS analytics services.

Tuesday, December 2, 2014

Two employees breached the privacy of 112 patients; they no longer work at the hospital.

The hospital stated the two employees “used their access privileges to the electronic health record (EHR) for unauthorized reasons — that is to satisfy their curiosity about patients with whom they had no care relationship.”

Reportedly the breaches were discovered after a third party approached the hospital's privacy office with allegations of inappropriate access to personal information. Rather than learn about privacy breaches from third parties, healthcare organizations can detect them proactively with low-cost on-demand SaaS analytics services.

The breach was not discovered until the hospital looked into an allegation of unauthorized access to its EMR. University Hospitals discovered Oct. 2 that the access occurred from January 2011 through June 2014. Healthcare organizations seeking to proactively detect privacy breaches, rather than have third parties bring them to their attention, can utilize low-cost on-demand SaaS analytics services.

Wednesday, November 26, 2014

Twenty-four staff of the Judicial Investigation Department in Costa Rica are being investigated for improperly using the department's database to access personal information about Real Madrid and their goalkeeper Keylor Navas.

While it seems the inappropriate access of Navas' information was motivated by curiosity, such use of the database is not authorized, according to the department head Francisco Segura.

"there was no justification for their actions as agents only have authority to access the 'information platform' during an investigation."

The HHS summary notes that the hospital sanctioned the physician and implemented new security policies and procedures. Proactive privacy breach detection can be accomplished with low-cost on-demand SaaS analytics services.

Monday, November 24, 2014

A national bank has filed a suit against a competing institution claiming they hired one of their employees to steal customer information.

For a month before the employee left his position with the plaintiff, he sent confidential information to his new employer. The new employer had set up an email account to receive customer names, tax returns, credit approvals, and other documents.

"he transferred numerous tax returns, credit approvals and other documents from [the bank's] customers to his next employer in the weeks before he resigned" - The New Jersey Law Journal

While the breaches of confidential information were discovered by a forensic review after the employee left, they could have been detected proactively with low-cost on-demand SaaS analytics services.

Friday, November 21, 2014

While employed at two Detroit hospitals, a woman stole hundreds of patient identities and used the information to file fraudulent tax returns.

According to the US Attorney's office at least 305 people were identity theft victims and the scam netted $500,000 in refunds for the woman and her accomplice.

"...technology has made it easier than ever for [criminals] to commit identity fraud...." - US Attorney Barbara McQuade

It is unclear when the identity thefts started or when they were discovered. Healthcare organizations seeking proactive detection of identity thefts can utilize low-cost on-demand SaaS analytics services.

Thursday, November 20, 2014

A former Tampa, Florida banker, who pleaded guilty in August 2014 to identity theft, was sentenced to seven and a half years in prison and a fine of $1.17 million.

While working at the bank she opened 292 bank accounts using 146 stolen identities. The sole purpose of the accounts was to launder fraudulently obtained federal income tax refund checks obtained by several co-conspirators, according to court documents.

It is unclear over what period of time the identity thefts occurred or how they were discovered. Organizations seeking to proactively detect identity thefts and privacy data breaches can utilize low-cost on-demand SaaS analytics services.

Wednesday, November 19, 2014

A UK pharmacist has been prosecuted by the Information Commissioner’s Office (ICO) after "unlawfully accessing the medical records of family members, work colleagues and local health professionals."

While working at two different healthcare clinics, he misused his computer access to snoop on people who were not among the patients he was assigned to work with. Unlawfully obtaining or accessing personal data is a criminal offence under the UK's Data Protection Act.

The agency only discovered the breach after someone outside the ministry filed a complaint; it is unclear when the breach occurred. Rather than learn of inappropriate access from third parties, organizations can proactively detect such data breaches by utilizing low-cost on-demand SaaS analytics services.

Monday, November 17, 2014

A survey of the National Health Service (NHS) by a privacy group found there had been 7,255 breaches of data protection rules in three years, on average six times a day.

In at least 143 cases patients' private records were inappropriately accessed by NHS staff for "personal reasons." The watchdog group said the situation appeared to have “worsened” since a similar survey in 2011.

"There were also at least 143 cases when patients’ private records were accessed inappropriately by NHS staff for 'personal reasons'." - Big Brother Watch

Emma Carr, director of Big Brother Watch, noted that information in medical records is of huge personal significance and for details to be maliciously accessed is completely unacceptable. She said urgent action is needed to ensure that medical records are kept safe. Healthcare organizations seeking proactive detection of data privacy breaches can utilize low-cost on-demand SaaS analytics services.

Friday, November 14, 2014

Several Florida resort staff have been arrested for stealing guests' credit card information and going on shopping sprees.

The ring leader of the group allegedly used his and other employees' passwords to access the resort's computer system. He then purchased and resold goods with the stolen information.

"The alleged ring leader used his and other employees' passwords to access the computer system." - Keynoter and Reporter Newspapers

The thefts of guests' credit card information were discovered when victims contacted police about fraudulent charges on their cards. Rather than learn about such thefts from third parties, organizations can proactively detect them by utilizing low-cost on-demand SaaS analytics services.

Thursday, November 13, 2014

A terminated employee of a Kentucky hospital improperly accessed patient information on a billing database maintained by a third-party company. Names, addresses, dates of birth, and in some cases Social Security numbers and diagnoses, of 697 patients were breached.

While the breaches were discovered during an audit in April 2014, they had been going on for a year, between April 2013 and March 2014. The former employee's logon credentials to this outside vendor had not been disabled.

"When an employee is terminated, their login credentials to vendors’ databases with PHI must also be terminated. How often do you verify that it is actually being terminated properly?" - PHI Privacy

Healthcare organizations seeking to rapidly confirm all access has been disabled, rather than depending on an occasional audit, can utilize low-cost on-demand SaaS access analytics services.

Tuesday, November 11, 2014

A Kansas man, while employed as an operations manager of a consumer finance company, stole customers' personally identifiable information (PII) and credit card numbers. He has been sentenced to three years in prison.

He used various employee credentials to log in to his employer's databases and transfer account numbers and information including customers’ names, dates of birth and Social Security numbers in exchange for Bitcoins.

"he sold the account numbers in batches of 40 for $1,000." - US Secret Service investigators

Monday, November 10, 2014

The Office of the Inspector General (OIG) will continue to pay close attention to the healthcare industry's use of electronic health records (EHRs) – in particular HIPAA security, EHR incentive payments and fraud, according to their 2015 work plan.

"OIG will need to adopt oversight approaches that are suited to an increasingly sophisticated healthcare system and that are tailored to protect programs and patients from existing and new vulnerabilities," stated Daniel R. Levinson, U.S. inspector general.

"The EHR audits are coming." - Healthcare IT News

To date, $25 billion has been paid to healthcare providers as incentives to use EHRs. In 2015 the OIG will "perform audits of various covered entities receiving EHR incentive payments from the Centers for Medicare and Medicaid (CMS) and their business associates to determine whether they adequately protect electronic health information created or maintained by certified EHR technology." Healthcare organizations and business associates can proactively protect health data from identity theft and privacy breaches by utilizing low-cost on-demand SaaS analytics services.

Friday, November 7, 2014

A Nebraska hospital fired two staff members for violating the privacy of a man who was being treated for Ebola.

The workers accessed the patient's medical records without authorization. The hospital noted that the employees' actions violated federal patient privacy regulations, leading to their firing and "other corrective action."

"Prying eyes in health care an all too common problem." - LiveWellInNebraska.com

The privacy breaches were discovered during an audit of the hospital's electronic medical records (EHR). Rather than monitor access to only VIP patient records, hospitals can audit staff access to all patient records by utilizing low-cost on-demand SaaS analytics services.

Thursday, November 6, 2014

People like to think they can trust those who represent the organizations and companies they deal with, but unfortunately some people abuse their privileged access to your sensitive data.

An article in Business Insider enumerates the extensive variety of insiders who have stolen identities from their customers or clients such as accountants, healthcare workers, police, bank tellers, employers, and government workers.

"there are very few people you can trust with your personal information, and even some of the people you’re closest to could potentially betray your confidence." - Business Insider

Organizations in every industry can proactively protect their clients and customers from insider identity theft by utilizing low-cost on-demand SaaS analytics services.

Wednesday, November 5, 2014

Incentive payments to hospitals and professionals participating in the meaningful use program have topped $25 billion as of the end of the third quarter of 2014, according to the Centers for Medicare and Medicaid (CMS).

"The ONC expects the attestation numbers to increase as most providers wait until the "last minute" to attest." - Dawn Heisey-Grove, Office of the National Coordinator for Health IT

The use of EHRs is expected to improve the quality of healthcare. However, their use may also facilitate the theft of patients' identities and medical information. Healthcare organizations seeking to proactively detect identity theft and data privacy breaches can utilize low-cost on-demand SaaS analytics services.

Tuesday, November 4, 2014

An employee of a medical recruitment agency was arrested for stealing the personally identifiable information (PII) of some 17,000 physicians and nurses.

The stolen data included names, addresses, dates of birth, academic records, and workplace details. As he is believed to have been involved in a project to found a new recruitment agency after quitting his former position, this sounds like another case of insider theft to help start a competing firm.

"this sounds like another case of insider theft to help start a competing firm." - DataBreaches.net

It is unclear how the breach was discovered. Organizations seeking to proactively detect theft of identities or intellectual property can utilize low-cost on-demand SaaS analytics services.

Monday, November 3, 2014

A patient registration specialist at a Texas hospital stole thousands of patients' identities so that he could use them to build a home health care business he founded in 2006.

He had his company's employees use the stolen information to cold call seniors for services they didn't need or could not qualify for. His home health business then submitted fraudulent bills to Medicare and Medicaid.

"Authorities say he misused the private information of more than 3,000 patients." - Dallas News

It is unclear over how many years the identity thefts occurred. The hospital learned of the ID thefts when a worker at the home health business contacted police to report the owner had patient lists from the hospital. Healthcare organizations can proactively detect identity thefts and privacy data breaches, rather than learn about them from third parties, by utilizing low-cost on-demand SaaS analytics services.

Friday, October 31, 2014

Legal consultants maintain that a great deal may be at stake for employers and benefit managers when data breaches occur in health care provider systems.

A health record is far more valuable than information stolen from a financial institution, according to Charles E. Harrell, partner at Duane Morris. “An electronic health record (EHR) would have enough information that you could create a false identity pretty quickly.”

"Employers have to be particularly mindful of the fact that people are out there trying to steal information." - Charles E. Harrell, partner, Duane Morris

For employers, which administer health care coverage, payroll and other benefit systems, Harrell says “there’s a lot that we have to do.” A 2013 survey by Employee Benefit Research Institute found 156 million people had employment-based health benefits.

“Employers have to be particularly mindful of the fact that people are out there trying to steal information,” says Harrell. Organizations seeking to proactively detect identity theft and privacy data breaches can utilize low-cost on-demand SaaS analytics services.

Thursday, October 30, 2014

The parents of a boy who shot classmates at school have filed a lawsuit against the New Mexico hospital where he was treated claiming not enough was done to protect the privacy of their son's medical record.

The boy's medical record was inappropriately accessed by eight of the hospital staff. The parents are seeking compensatory and punitive damages from the hospital for "gross and reckless disregard of their son's rights."

"Eight staff members had 'gross and reckless disregard of [his privacy] rights' when he was a patient at the hospital." - News 4, Albuquerque